<?php
/**
 * Zend Framework
 *
 * LICENSE
 *
 * This source file is subject to the new BSD license that is bundled
 * with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://framework.zend.com/license/new-bsd
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@zend.com so we can send you a copy immediately.
 *
 * @category   Zend
 * @package    Zend_Auth
 * @subpackage Zend_Auth_Adapter_Http
 * @copyright  Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
 * @version    $Id: Http.php 23775 2011-03-01 17:25:24Z ralph $
 */

/**
 * @see Zend_Auth_Adapter_Interface
 */
require_once 'Zend/Auth/Adapter/Interface.php';

/**
 * HTTP Authentication Adapter
 *
 * Implements a pretty good chunk of RFC 2617.
 *
 * @category   Zend
 * @package    Zend_Auth
 * @subpackage Zend_Auth_Adapter_Http
 * @copyright  Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
 * @todo       Support auth-int
 * @todo       Track nonces, nonce-count, opaque for replay protection and stale support
 * @todo       Support Authentication-Info header
 */
class Zend_Auth_Adapter_Http implements Zend_Auth_Adapter_Interface {
	/**
	 * Reference to the HTTP Request object
	 *
	 * @var Zend_Controller_Request_Http
	 */
	protected $_request;
	
	/**
	 * Reference to the HTTP Response object
	 *
	 * @var Zend_Controller_Response_Http
	 */
	protected $_response;
	
	/**
	 * Object that looks up user credentials for the Basic scheme
	 *
	 * @var Zend_Auth_Adapter_Http_Resolver_Interface
	 */
	protected $_basicResolver;
	
	/**
	 * Object that looks up user credentials for the Digest scheme
	 *
	 * @var Zend_Auth_Adapter_Http_Resolver_Interface
	 */
	protected $_digestResolver;
	
	/**
	 * List of authentication schemes supported by this class
	 *
	 * @var array
	 */
	protected $_supportedSchemes = array ('basic', 'digest' );
	
	/**
	 * List of schemes this class will accept from the client
	 *
	 * @var array
	 */
	protected $_acceptSchemes;
	
	/**
	 * Space-delimited list of protected domains for Digest Auth
	 *
	 * @var string
	 */
	protected $_domains;
	
	/**
	 * The protection realm to use
	 *
	 * @var string
	 */
	protected $_realm;
	
	/**
	 * Nonce timeout period
	 *
	 * @var integer
	 */
	protected $_nonceTimeout;
	
	/**
	 * Whether to send the opaque value in the header. True by default
	 *
	 * @var boolean
	 */
	protected $_useOpaque;
	
	/**
	 * List of the supported digest algorithms. I want to support both MD5 and
	 * MD5-sess, but MD5-sess won't make it into the first version.
	 *
	 * @var array
	 */
	protected $_supportedAlgos = array ('MD5' );
	
	/**
	 * The actual algorithm to use. Defaults to MD5
	 *
	 * @var string
	 */
	protected $_algo;
	
	/**
	 * List of supported qop options. My intetion is to support both 'auth' and
	 * 'auth-int', but 'auth-int' won't make it into the first version.
	 *
	 * @var array
	 */
	protected $_supportedQops = array ('auth' );
	
	/**
	 * Whether or not to do Proxy Authentication instead of origin server
	 * authentication (send 407's instead of 401's). Off by default.
	 *
	 * @var boolean
	 */
	protected $_imaProxy;
	
	/**
	 * Flag indicating the client is IE and didn't bother to return the opaque string
	 *
	 * @var boolean
	 */
	protected $_ieNoOpaque;
	
	/**
	 * Constructor
	 *
	 * @param  array $config Configuration settings:
	 * 'accept_schemes' => 'basic'|'digest'|'basic digest'
	 * 'realm' => <string>
	 * 'digest_domains' => <string> Space-delimited list of URIs
	 * 'nonce_timeout' => <int>
	 * 'use_opaque' => <bool> Whether to send the opaque value in the header
	 * 'alogrithm' => <string> See $_supportedAlgos. Default: MD5
	 * 'proxy_auth' => <bool> Whether to do authentication as a Proxy
	 * @throws Zend_Auth_Adapter_Exception
	 * @return void
	 */
	public function __construct(array $config) {
		if (! extension_loaded ( 'hash' )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( __CLASS__ . ' requires the \'hash\' extension' );
		}
		
		$this->_request = null;
		$this->_response = null;
		$this->_ieNoOpaque = false;
		
		if (empty ( $config ['accept_schemes'] )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'Config key \'accept_schemes\' is required' );
		}
		
		$schemes = explode ( ' ', $config ['accept_schemes'] );
		$this->_acceptSchemes = array_intersect ( $schemes, $this->_supportedSchemes );
		if (empty ( $this->_acceptSchemes )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'No supported schemes given in \'accept_schemes\'. Valid values: ' . implode ( ', ', $this->_supportedSchemes ) );
		}
		
		// Double-quotes are used to delimit the realm string in the HTTP header,
		// and colons are field delimiters in the password file.
		if (empty ( $config ['realm'] ) || ! ctype_print ( $config ['realm'] ) || strpos ( $config ['realm'], ':' ) !== false || strpos ( $config ['realm'], '"' ) !== false) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'Config key \'realm\' is required, and must contain only printable ' . 'characters, excluding quotation marks and colons' );
		} else {
			$this->_realm = $config ['realm'];
		}
		
		if (in_array ( 'digest', $this->_acceptSchemes )) {
			if (empty ( $config ['digest_domains'] ) || ! ctype_print ( $config ['digest_domains'] ) || strpos ( $config ['digest_domains'], '"' ) !== false) {
				/**
				 * @see Zend_Auth_Adapter_Exception
				 */
				require_once 'Zend/Auth/Adapter/Exception.php';
				throw new Zend_Auth_Adapter_Exception ( 'Config key \'digest_domains\' is required, and must contain ' . 'only printable characters, excluding quotation marks' );
			} else {
				$this->_domains = $config ['digest_domains'];
			}
			
			if (empty ( $config ['nonce_timeout'] ) || ! is_numeric ( $config ['nonce_timeout'] )) {
				/**
				 * @see Zend_Auth_Adapter_Exception
				 */
				require_once 'Zend/Auth/Adapter/Exception.php';
				throw new Zend_Auth_Adapter_Exception ( 'Config key \'nonce_timeout\' is required, and must be an ' . 'integer' );
			} else {
				$this->_nonceTimeout = ( int ) $config ['nonce_timeout'];
			}
			
			// We use the opaque value unless explicitly told not to
			if (isset ( $config ['use_opaque'] ) && false == ( bool ) $config ['use_opaque']) {
				$this->_useOpaque = false;
			} else {
				$this->_useOpaque = true;
			}
			
			if (isset ( $config ['algorithm'] ) && in_array ( $config ['algorithm'], $this->_supportedAlgos )) {
				$this->_algo = $config ['algorithm'];
			} else {
				$this->_algo = 'MD5';
			}
		}
		
		// Don't be a proxy unless explicitly told to do so
		if (isset ( $config ['proxy_auth'] ) && true == ( bool ) $config ['proxy_auth']) {
			$this->_imaProxy = true; // I'm a Proxy
		} else {
			$this->_imaProxy = false;
		}
	}
	
	/**
	 * Setter for the _basicResolver property
	 *
	 * @param  Zend_Auth_Adapter_Http_Resolver_Interface $resolver
	 * @return Zend_Auth_Adapter_Http Provides a fluent interface
	 */
	public function setBasicResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver) {
		$this->_basicResolver = $resolver;
		
		return $this;
	}
	
	/**
	 * Getter for the _basicResolver property
	 *
	 * @return Zend_Auth_Adapter_Http_Resolver_Interface
	 */
	public function getBasicResolver() {
		return $this->_basicResolver;
	}
	
	/**
	 * Setter for the _digestResolver property
	 *
	 * @param  Zend_Auth_Adapter_Http_Resolver_Interface $resolver
	 * @return Zend_Auth_Adapter_Http Provides a fluent interface
	 */
	public function setDigestResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver) {
		$this->_digestResolver = $resolver;
		
		return $this;
	}
	
	/**
	 * Getter for the _digestResolver property
	 *
	 * @return Zend_Auth_Adapter_Http_Resolver_Interface
	 */
	public function getDigestResolver() {
		return $this->_digestResolver;
	}
	
	/**
	 * Setter for the Request object
	 *
	 * @param  Zend_Controller_Request_Http $request
	 * @return Zend_Auth_Adapter_Http Provides a fluent interface
	 */
	public function setRequest(Zend_Controller_Request_Http $request) {
		$this->_request = $request;
		
		return $this;
	}
	
	/**
	 * Getter for the Request object
	 *
	 * @return Zend_Controller_Request_Http
	 */
	public function getRequest() {
		return $this->_request;
	}
	
	/**
	 * Setter for the Response object
	 *
	 * @param  Zend_Controller_Response_Http $response
	 * @return Zend_Auth_Adapter_Http Provides a fluent interface
	 */
	public function setResponse(Zend_Controller_Response_Http $response) {
		$this->_response = $response;
		
		return $this;
	}
	
	/**
	 * Getter for the Response object
	 *
	 * @return Zend_Controller_Response_Http
	 */
	public function getResponse() {
		return $this->_response;
	}
	
	/**
	 * Authenticate
	 *
	 * @throws Zend_Auth_Adapter_Exception
	 * @return Zend_Auth_Result
	 */
	public function authenticate() {
		if (empty ( $this->_request ) || empty ( $this->_response )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'Request and Response objects must be set before calling ' . 'authenticate()' );
		}
		
		if ($this->_imaProxy) {
			$getHeader = 'Proxy-Authorization';
		} else {
			$getHeader = 'Authorization';
		}
		
		$authHeader = $this->_request->getHeader ( $getHeader );
		if (! $authHeader) {
			return $this->_challengeClient ();
		}
		
		list ( $clientScheme ) = explode ( ' ', $authHeader );
		$clientScheme = strtolower ( $clientScheme );
		
		// The server can issue multiple challenges, but the client should
		// answer with only the selected auth scheme.
		if (! in_array ( $clientScheme, $this->_supportedSchemes )) {
			$this->_response->setHttpResponseCode ( 400 );
			return new Zend_Auth_Result ( Zend_Auth_Result::FAILURE_UNCATEGORIZED, array (), array ('Client requested an incorrect or unsupported authentication scheme' ) );
		}
		
		// client sent a scheme that is not the one required
		if (! in_array ( $clientScheme, $this->_acceptSchemes )) {
			// challenge again the client
			return $this->_challengeClient ();
		}
		
		switch ($clientScheme) {
			case 'basic' :
				$result = $this->_basicAuth ( $authHeader );
				break;
			case 'digest' :
				$result = $this->_digestAuth ( $authHeader );
				break;
			default :
				/**
				 * @see Zend_Auth_Adapter_Exception
				 */
				require_once 'Zend/Auth/Adapter/Exception.php';
				throw new Zend_Auth_Adapter_Exception ( 'Unsupported authentication scheme' );
		}
		
		return $result;
	}
	
	/**
	 * Challenge Client
	 *
	 * Sets a 401 or 407 Unauthorized response code, and creates the
	 * appropriate Authenticate header(s) to prompt for credentials.
	 *
	 * @return Zend_Auth_Result Always returns a non-identity Auth result
	 */
	protected function _challengeClient() {
		if ($this->_imaProxy) {
			$statusCode = 407;
			$headerName = 'Proxy-Authenticate';
		} else {
			$statusCode = 401;
			$headerName = 'WWW-Authenticate';
		}
		
		$this->_response->setHttpResponseCode ( $statusCode );
		
		// Send a challenge in each acceptable authentication scheme
		if (in_array ( 'basic', $this->_acceptSchemes )) {
			$this->_response->setHeader ( $headerName, $this->_basicHeader () );
		}
		if (in_array ( 'digest', $this->_acceptSchemes )) {
			$this->_response->setHeader ( $headerName, $this->_digestHeader () );
		}
		return new Zend_Auth_Result ( Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, array (), array ('Invalid or absent credentials; challenging client' ) );
	}
	
	/**
	 * Basic Header
	 *
	 * Generates a Proxy- or WWW-Authenticate header value in the Basic
	 * authentication scheme.
	 *
	 * @return string Authenticate header value
	 */
	protected function _basicHeader() {
		return 'Basic realm="' . $this->_realm . '"';
	}
	
	/**
	 * Digest Header
	 *
	 * Generates a Proxy- or WWW-Authenticate header value in the Digest
	 * authentication scheme.
	 *
	 * @return string Authenticate header value
	 */
	protected function _digestHeader() {
		$wwwauth = 'Digest realm="' . $this->_realm . '", ' . 'domain="' . $this->_domains . '", ' . 'nonce="' . $this->_calcNonce () . '", ' . ($this->_useOpaque ? 'opaque="' . $this->_calcOpaque () . '", ' : '') . 'algorithm="' . $this->_algo . '", ' . 'qop="' . implode ( ',', $this->_supportedQops ) . '"';
		
		return $wwwauth;
	}
	
	/**
	 * Basic Authentication
	 *
	 * @param  string $header Client's Authorization header
	 * @throws Zend_Auth_Adapter_Exception
	 * @return Zend_Auth_Result
	 */
	protected function _basicAuth($header) {
		if (empty ( $header )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'The value of the client Authorization header is required' );
		}
		if (empty ( $this->_basicResolver )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'A basicResolver object must be set before doing Basic ' . 'authentication' );
		}
		
		// Decode the Authorization header
		$auth = substr ( $header, strlen ( 'Basic ' ) );
		$auth = base64_decode ( $auth );
		if (! $auth) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'Unable to base64_decode Authorization header value' );
		}
		
		// See ZF-1253. Validate the credentials the same way the digest
		// implementation does. If invalid credentials are detected,
		// re-challenge the client.
		if (! ctype_print ( $auth )) {
			return $this->_challengeClient ();
		}
		// Fix for ZF-1515: Now re-challenges on empty username or password
		$creds = array_filter ( explode ( ':', $auth ) );
		if (count ( $creds ) != 2) {
			return $this->_challengeClient ();
		}
		
		$password = $this->_basicResolver->resolve ( $creds [0], $this->_realm );
		if ($password && $this->_secureStringCompare ( $password, $creds [1] )) {
			$identity = array ('username' => $creds [0], 'realm' => $this->_realm );
			return new Zend_Auth_Result ( Zend_Auth_Result::SUCCESS, $identity );
		} else {
			return $this->_challengeClient ();
		}
	}
	
	/**
	 * Digest Authentication
	 *
	 * @param  string $header Client's Authorization header
	 * @throws Zend_Auth_Adapter_Exception
	 * @return Zend_Auth_Result Valid auth result only on successful auth
	 */
	protected function _digestAuth($header) {
		if (empty ( $header )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'The value of the client Authorization header is required' );
		}
		if (empty ( $this->_digestResolver )) {
			/**
			 * @see Zend_Auth_Adapter_Exception
			 */
			require_once 'Zend/Auth/Adapter/Exception.php';
			throw new Zend_Auth_Adapter_Exception ( 'A digestResolver object must be set before doing Digest authentication' );
		}
		
		$data = $this->_parseDigestAuth ( $header );
		if ($data === false) {
			$this->_response->setHttpResponseCode ( 400 );
			return new Zend_Auth_Result ( Zend_Auth_Result::FAILURE_UNCATEGORIZED, array (), array ('Invalid Authorization header format' ) );
		}
		
		// See ZF-1052. This code was a bit too unforgiving of invalid
		// usernames. Now, if the username is bad, we re-challenge the client.
		if ('::invalid::' == $data ['username']) {
			return $this->_challengeClient ();
		}
		
		// Verify that the client sent back the same nonce
		if ($this->_calcNonce () != $data ['nonce']) {
			return $this->_challengeClient ();
		}
		// The opaque value is also required to match, but of course IE doesn't
		// play ball.
		if (! $this->_ieNoOpaque && $this->_calcOpaque () != $data ['opaque']) {
			return $this->_challengeClient ();
		}
		
		// Look up the user's password hash. If not found, deny access.
		// This makes no assumptions about how the password hash was
		// constructed beyond that it must have been built in such a way as
		// to be recreatable with the current settings of this object.
		$ha1 = $this->_digestResolver->resolve ( $data ['username'], $data ['realm'] );
		if ($ha1 === false) {
			return $this->_challengeClient ();
		}
		
		// If MD5-sess is used, a1 value is made of the user's password
		// hash with the server and client nonce appended, separated by
		// colons.
		if ($this->_algo == 'MD5-sess') {
			$ha1 = hash ( 'md5', $ha1 . ':' . $data ['nonce'] . ':' . $data ['cnonce'] );
		}
		
		// Calculate h(a2). The value of this hash depends on the qop
		// option selected by the client and the supported hash functions
		switch ($data ['qop']) {
			case 'auth' :
				$a2 = $this->_request->getMethod () . ':' . $data ['uri'];
				break;
			case 'auth-int' :
			// Should be REQUEST_METHOD . ':' . uri . ':' . hash(entity-body),
			// but this isn't supported yet, so fall through to default case
			default :
				/**
				 * @see Zend_Auth_Adapter_Exception
				 */
				require_once 'Zend/Auth/Adapter/Exception.php';
				throw new Zend_Auth_Adapter_Exception ( 'Client requested an unsupported qop option' );
		}
		// Using hash() should make parameterizing the hash algorithm
		// easier
		$ha2 = hash ( 'md5', $a2 );
		
		// Calculate the server's version of the request-digest. This must
		// match $data['response']. See RFC 2617, section 3.2.2.1
		$message = $data ['nonce'] . ':' . $data ['nc'] . ':' . $data ['cnonce'] . ':' . $data ['qop'] . ':' . $ha2;
		$digest = hash ( 'md5', $ha1 . ':' . $message );
		
		// If our digest matches the client's let them in, otherwise return
		// a 401 code and exit to prevent access to the protected resource.
		if ($this->_secureStringCompare ( $digest, $data ['response'] )) {
			$identity = array ('username' => $data ['username'], 'realm' => $data ['realm'] );
			return new Zend_Auth_Result ( Zend_Auth_Result::SUCCESS, $identity );
		} else {
			return $this->_challengeClient ();
		}
	}
	
	/**
	 * Calculate Nonce
	 *
	 * @return string The nonce value
	 */
	protected function _calcNonce() {
		// Once subtle consequence of this timeout calculation is that it
		// actually divides all of time into _nonceTimeout-sized sections, such
		// that the value of timeout is the point in time of the next
		// approaching "boundary" of a section. This allows the server to
		// consistently generate the same timeout (and hence the same nonce
		// value) across requests, but only as long as one of those
		// "boundaries" is not crossed between requests. If that happens, the
		// nonce will change on its own, and effectively log the user out. This
		// would be surprising if the user just logged in.
		$timeout = ceil ( time () / $this->_nonceTimeout ) * $this->_nonceTimeout;
		
		$nonce = hash ( 'md5', $timeout . ':' . $this->_request->getServer ( 'HTTP_USER_AGENT' ) . ':' . __CLASS__ );
		return $nonce;
	}
	
	/**
	 * Calculate Opaque
	 *
	 * The opaque string can be anything; the client must return it exactly as
	 * it was sent. It may be useful to store data in this string in some
	 * applications. Ideally, a new value for this would be generated each time
	 * a WWW-Authenticate header is sent (in order to reduce predictability),
	 * but we would have to be able to create the same exact value across at
	 * least two separate requests from the same client.
	 *
	 * @return string The opaque value
	 */
	protected function _calcOpaque() {
		return hash ( 'md5', 'Opaque Data:' . __CLASS__ );
	}
	
	/**
	 * Parse Digest Authorization header
	 *
	 * @param  string $header Client's Authorization: HTTP header
	 * @return array|false Data elements from header, or false if any part of
	 * the header is invalid
	 */
	protected function _parseDigestAuth($header) {
		$temp = null;
		$data = array ();
		
		// See ZF-1052. Detect invalid usernames instead of just returning a
		// 400 code.
		$ret = preg_match ( '/username="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] ) || ! ctype_print ( $temp [1] ) || strpos ( $temp [1], ':' ) !== false) {
			$data ['username'] = '::invalid::';
		} else {
			$data ['username'] = $temp [1];
		}
		$temp = null;
		
		$ret = preg_match ( '/realm="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (! ctype_print ( $temp [1] ) || strpos ( $temp [1], ':' ) !== false) {
			return false;
		} else {
			$data ['realm'] = $temp [1];
		}
		$temp = null;
		
		$ret = preg_match ( '/nonce="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (! ctype_xdigit ( $temp [1] )) {
			return false;
		} else {
			$data ['nonce'] = $temp [1];
		}
		$temp = null;
		
		$ret = preg_match ( '/uri="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		// Section 3.2.2.5 in RFC 2617 says the authenticating server must
		// verify that the URI field in the Authorization header is for the
		// same resource requested in the Request Line.
		$rUri = @parse_url ( $this->_request->getRequestUri () );
		$cUri = @parse_url ( $temp [1] );
		if (false === $rUri || false === $cUri) {
			return false;
		} else {
			// Make sure the path portion of both URIs is the same
			if ($rUri ['path'] != $cUri ['path']) {
				return false;
			}
			// Section 3.2.2.5 seems to suggest that the value of the URI
			// Authorization field should be made into an absolute URI if the
			// Request URI is absolute, but it's vague, and that's a bunch of
			// code I don't want to write right now.
			$data ['uri'] = $temp [1];
		}
		$temp = null;
		
		$ret = preg_match ( '/response="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (32 != strlen ( $temp [1] ) || ! ctype_xdigit ( $temp [1] )) {
			return false;
		} else {
			$data ['response'] = $temp [1];
		}
		$temp = null;
		
		// The spec says this should default to MD5 if omitted. OK, so how does
		// that square with the algo we send out in the WWW-Authenticate header,
		// if it can easily be overridden by the client?
		$ret = preg_match ( '/algorithm="?(' . $this->_algo . ')"?/', $header, $temp );
		if ($ret && ! empty ( $temp [1] ) && in_array ( $temp [1], $this->_supportedAlgos )) {
			$data ['algorithm'] = $temp [1];
		} else {
			$data ['algorithm'] = 'MD5'; // = $this->_algo; ?
		}
		$temp = null;
		
		// Not optional in this implementation
		$ret = preg_match ( '/cnonce="([^"]+)"/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (! ctype_print ( $temp [1] )) {
			return false;
		} else {
			$data ['cnonce'] = $temp [1];
		}
		$temp = null;
		
		// If the server sent an opaque value, the client must send it back
		if ($this->_useOpaque) {
			$ret = preg_match ( '/opaque="([^"]+)"/', $header, $temp );
			if (! $ret || empty ( $temp [1] )) {
				
				// Big surprise: IE isn't RFC 2617-compliant.
				if (false !== strpos ( $this->_request->getHeader ( 'User-Agent' ), 'MSIE' )) {
					$temp [1] = '';
					$this->_ieNoOpaque = true;
				} else {
					return false;
				}
			}
			// This implementation only sends MD5 hex strings in the opaque value
			if (! $this->_ieNoOpaque && (32 != strlen ( $temp [1] ) || ! ctype_xdigit ( $temp [1] ))) {
				return false;
			} else {
				$data ['opaque'] = $temp [1];
			}
			$temp = null;
		}
		
		// Not optional in this implementation, but must be one of the supported
		// qop types
		$ret = preg_match ( '/qop="?(' . implode ( '|', $this->_supportedQops ) . ')"?/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (! in_array ( $temp [1], $this->_supportedQops )) {
			return false;
		} else {
			$data ['qop'] = $temp [1];
		}
		$temp = null;
		
		// Not optional in this implementation. The spec says this value
		// shouldn't be a quoted string, but apparently some implementations
		// quote it anyway. See ZF-1544.
		$ret = preg_match ( '/nc="?([0-9A-Fa-f]{8})"?/', $header, $temp );
		if (! $ret || empty ( $temp [1] )) {
			return false;
		}
		if (8 != strlen ( $temp [1] ) || ! ctype_xdigit ( $temp [1] )) {
			return false;
		} else {
			$data ['nc'] = $temp [1];
		}
		$temp = null;
		
		return $data;
	}
	
	/**
	 * Securely compare two strings for equality while avoided C level memcmp()
	 * optimisations capable of leaking timing information useful to an attacker
	 * attempting to iteratively guess the unknown string (e.g. password) being
	 * compared against.
	 *
	 * @param string $a
	 * @param string $b
	 * @return bool
	 */
	protected function _secureStringCompare($a, $b) {
		if (strlen ( $a ) !== strlen ( $b )) {
			return false;
		}
		$result = 0;
		for($i = 0; $i < strlen ( $a ); $i ++) {
			$result |= ord ( $a [$i] ) ^ ord ( $b [$i] );
		}
		return $result == 0;
	}
}
